WebApp Sec mailing list archives

Re: [summary] Re: Should login pages be protected by SSL?


From: Michael Silk <michaelslists () gmail com>
Date: Fri, 24 Jun 2005 11:09:42 +1000

> If the login form is itself protected by https, then the bar for a
> phish is raised to getting a certificate for that domain. With a plain
> text login page, the bar for attacking is much lower.

No, it isn't.

You need to realise no-one cares about certificates.

No-one cares.

Nobody.

...

No-one !

And trying to _make_ them care (via TrustBar and others) doesn't seem
like a great idea to me; as their trust in a system like that can be
exploited also.

-- Michael

